The ubiquity of technology has given rise to fraudulent digital activity. According to the FTC's Consumer Sentinel Network, pretending to be the government may be scammers' favorite ruse, with nearly 1.3 million reports about government imposters since 2014.
Given the volume of online fraud, securing systems is of primary importance for organizations and agencies that must protect citizens' and users' data and money. When securing these systems, there are several things we need to look at to increase overall confidence in the system.
The foremost mechanism to ensure privacy is the Secure Onboarding of members and users of your system. Are we sure the people registering for an account are truly who they say they are? Given that most of this information is already available online, and already in the hands of attackers, using only First Name, Last Name, SSN and Date of Birth to confirm a member's identity may not be enough for local and state government agencies such as pension funds or state workforce agencies. We need a more accurate way of identifying and authenticating users. In our experience, there are two ways to verify the identity of end users.
- Document-Based – In this approach, the system prompts the user to scan a government-issued ID, which is then checked against the issuing authority (the DMV or the State Department) to verify the document's authenticity. Depending on the system's configuration, the user can also scan their face or take a selfie, which is then compared with the photo on the official document. LexisNexis True ID, ID.me, and Ping Identity Verification are examples of SaaS offerings for document-based identity verification.
- Information-Based – In this approach, data is collected by data aggregators and collated by companies such as LexisNexis and Experian. From this repository of information, these organizations can pose questions that only the end user should be able to answer, such as 'Who is the mortgage servicing company for your primary residence?', with a list of options for the user to select from. Another example is 'At which of these street addresses have you lived?' LexisNexis InstantID Q&A and Experian Identity Verification are SaaS offerings that address information-based verification.
Given the recent breaches of credit agencies, the information-based approach may not work on its own for verification: the answers to knowledge-based questions may already be in an attacker's hands. We need to use additional screening mechanisms such as LexisNexis ThreatMetrix and Emailage to build a risk profile from the device the member is using to register for an account and the email address they register with. The industry is slowly moving towards document-based identity verification and finding new ways to address privacy concerns when users are asked to use facial recognition technology. In most document-based identity verification software, scanning one's face is an optional policy that can be enabled or disabled.
For our clients in the benefits administration space, Sagitec offers identity verification based on the line-of-business data we have implemented for our clients. We also plan to support LexisNexis True ID soon. Once users are securely onboarded and we are sure they are who they say they are, securing the login is the next step.
From an end-user or user experience perspective, security needs to be a seamless and transparent process. We add login friction only when the risk is high.
Users logging in from the same computer and geolocation as before are relatively low risk, and we can collect the password and let them in. If a user logs in from a different computer or a different geolocation, the risk of account theft is higher; if the logins come from two distant geolocations within a short time, the risk is higher still, because it suggests an improbable travel pattern. In these cases we can either present a multi-factor authentication screen (new computer or geolocation) or deny the login (improbable travel).
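The decision logic described above, written out as an added example (this is illustrative code, not Sagitec's product or the logic of any identity provider named on this page). It assumes the login system already records, for each successful login, a stable device identifier, an approximate geolocation from the client's IP address, and a timestamp; the `Login` record, the `assess` function, the speed and radius thresholds, and the sample logins are all constructed for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Assumed policy thresholds (illustrative values, not taken from the page).
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # roughly airliner cruising speed; faster implies impossible travel
KNOWN_LOCATION_RADIUS_KM = 100.0  # within this distance of a prior login counts as the "same" geolocation


@dataclass(frozen=True)
class Login:
    user: str
    device_id: str  # stable device/browser identifier, e.g. a device cookie or fingerprint hash
    lat: float      # approximate geolocation, typically from IP geolocation
    lon: float
    ts: int         # Unix time in seconds


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi = radians(lat2 - lat1)
    d_lambda = radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def assess(attempt: Login, history: list[Login]) -> str:
    """Decide how much friction a login attempt gets: 'allow', 'mfa' or 'deny'.

    history holds the user's previous *successful* logins. A correct password is
    still required in every case; this only decides what happens after that.
    """
    prior = [h for h in history if h.user == attempt.user]
    if not prior:
        # No baseline for this user yet: everything is "new", so step up.
        return "mfa"

    # Impossible travel: compare with the most recent successful login. If the
    # implied ground speed exceeds what any traveller could manage, deny rather
    # than offer MFA: a prompt to the real user while an attacker holds the
    # password invites push fatigue. Small distances are ignored so that
    # IP-geolocation jitter inside one city cannot trigger a false positive.
    last = max(prior, key=lambda h: h.ts)
    distance_km = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
    elapsed_h = max(attempt.ts - last.ts, 1) / 3600  # clamp so clock skew cannot divide by zero
    if distance_km > KNOWN_LOCATION_RADIUS_KM and distance_km / elapsed_h > MAX_PLAUSIBLE_SPEED_KMH:
        return "deny"

    known_device = any(h.device_id == attempt.device_id for h in prior)
    known_place = any(
        haversine_km(h.lat, h.lon, attempt.lat, attempt.lon) <= KNOWN_LOCATION_RADIUS_KM
        for h in prior
    )
    if known_device and known_place:
        return "allow"
    return "mfa"  # new device or new geolocation: add friction


# Constructed sample data (not from the page): one prior successful login for
# "alice" from Saint Paul, MN on a known device, and several later attempts.
HISTORY = [Login("alice", "dev-a1", 44.95, -93.09, 1_700_000_000)]

SAMPLE_ATTEMPTS = {
    "same_device_same_city": Login("alice", "dev-a1", 44.96, -93.10, 1_700_003_600),       # +1 h
    "same_device_chicago_3_days": Login("alice", "dev-a1", 41.88, -87.63, 1_700_259_200),  # +72 h
    "new_device_same_city": Login("alice", "dev-zz", 44.95, -93.09, 1_700_003_600),        # +1 h
    "same_device_london_30_min": Login("alice", "dev-a1", 51.51, -0.13, 1_700_001_800),    # +30 min
    "first_login_ever": Login("bob", "dev-b7", 44.95, -93.09, 1_700_003_600),              # no history
}


def run_samples() -> dict[str, str]:
    """Evaluate every sample attempt against HISTORY and return the decisions."""
    return {name: assess(attempt, HISTORY) for name, attempt in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:30s} -> {decision}")
```

Two caveats a deployment needs to account for: IP geolocation is coarse and VPN or mobile-carrier egress points can place a legitimate user hundreds of kilometres from where they sit, so the thresholds above should be tuned against real login data rather than set once; and a device identifier that is only a cookie can be stolen along with the session, so "known device" should lower friction but never replace the impossible-travel check.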
Based on market leadership and usage among our clients, we have integrated with Okta and Entrust IDaaS (previously IntelliTrust) using the OpenID Connect standard. We can also integrate with other SaaS platforms depending on our clients' needs. These Identity Providers (IdPs) help gauge the risk profile of the user logging in, and we can configure the login flows to add friction depending on that risk profile.
We also support out-of-band authentication (a form of two-factor authentication), where the user must enter a token, confirm a push notification, or enter a one-time password (OTP) received in their IdP's app.
Here are some advantages of our approach to member security.
- Ability to leverage multiple identity providers' risk-based authentication mechanisms (without code changes for our existing clients)
- Easy incorporation of variations of multi-factor authentication through configuration changes alone
- Use of the standard protocols that identity providers support
- Easy adoption of security upgrades
With multiple fraud cases coming to light, Sagitec's goal has always been to provide market-leading security mechanisms along with our solutions. We work with our clients to provide multiple authentication mechanisms built with the latest technology available in the market, and we make them easy for our client teams to adopt.